Thousands of PoS and accounting systems compromised by new malware

Literally thousands of PoS (point-of-sale), grocery management and accounting systems around the world have
been compromised by a new strain of malware, a security investigation conducted in March 2014 has
revealed.

During a survey of compromised terminals, the Nemanja botnet was singled out as one of the
biggest of the lot.

After infiltrating various small businesses and grocery stores, the botnet then sets up a means
to lift credit card numbers and other sensitive data from the compromised systems.

Cyber-intelligence firm IntelCrawler said it had detected no less than 1,478 hosts infected
by Nemanja in countries as far apart as Australia, Israel and Zambia.

Various systems in Britain, the United States and Germany have also been infected by the keylogging
malware.

"The Nemanja case has shown that cybercriminals have started to join PoS malware with keyloggers
in order to intercept credentials of various back-office systems and databases in order to gain
access to payment or personal identifiable data," IntelCrawler said in an advisory.

"During the investigation on the Nemanja botnet, over a thousand infected and compromised PoS terminals,
accounting systems and grocery management systems were clearly identified," it added.

The latest malware is part of a larger trend in which cybercrooks target retailers' back-office
systems and cash registers.

Malware including RAM-scraping nasties such as Alina, BlackPOS, Dexter, JackPOS, VSkimmer and
their variants has been planted using either drive-by downloads or remote compromise of administration
channels.

Such malware is then used to lift sensitive information from compromised systems. For example, a
variant of BlackPOS was reportedly used in the final phase of the multi-stage attack against U.S.
retail giant Target.

The estimated 40 million credit card records from the Target breach have subsequently been
offered up for sale through underground hacking forums, and according to a blog post by security
researchers at McAfee, the sheer volume of information has pushed down the price of compromised card
details.

In other internet security news

Dogevault.com, a website that supposedly holds the cryptocurrency Dogecoin in conditions of
optimal security, has gone offline.

The site now publishes the following message: "Notice: We apologise for the downtime, a press
release will be posted here within 24 hours. Please do not transfer any funds to Dogevault addresses
while our investigation is under way. Email support@dogevault.com for any enquiries."

Then, at 8.27 AM EST the following message was posted: "Announcement: On May 11, 2014, the Doge
Vault online wallet service was compromised by attackers, resulting in a service disruption and tampering
with wallet funds. As soon as the administrator of Doge Vault was alerted, the service was halted."

"The attackers had already accessed and destroyed all data on the hosted virtual machines. We
are currently in the process of identifying the extent of the attack and potential impact on users'
funds."

"This involves salvaging existing wallet data from an off-site backup. We will also be closely
investigating potential attack vectors, and determining the security breach which enabled the attackers
to compromise the service in the first place."

"Please do not transfer any funds to Doge Vault addresses while our investigation is under way.
Thank you for your patience; we will issue an additional statement including our findings and plan of
action within the next 24-48 hours. Email support@dogevault.com for any enquiries. Doge Vault."

After Bitcoin exchange Mt. Gox went bankrupt not so long ago, some observers are now wondering
whether the same fate could befall Dogecoin. And you can't blame them for thinking along those lines.

Speculation is rife in posts like a Reddit missive that the site was hacked, taking with it at least
950,000 Dogecoins. Another report suggests up to 111 million Dogecoins seem to have mysteriously appeared
in a “mega wallet” linked to Dogevault.

With the Dogecoin to US dollar exchange rate running at about 1000:$0.46, that's about $51,000,
hardly the millions suspected to have evaporated from Bitcoin exchange Mt. Gox, but still a nasty lot of
cryptocash to lose.

If Dogevault has indeed been fatally compromised it will make it harder to sustain cryptocurrency
enthusiasm. Whatever the upsides of the concept, security of some participants clearly needs to be
tightened, and in a very big way.

Microsoft's security department said yesterday it will release no fewer than eight security
updates next Patch Tuesday to stop remote-code execution bugs in Windows and Internet Explorer,
among other security bugs.

Meanwhile, Adobe will issue new versions of Acrobat and Reader for this month's Patch Tuesday as
well, so May 13 will be a busy day for system admins and IT departments everywhere.

Two of the security updates from Microsoft are rated critical because the bugs they fix allow miscreants
to execute code on vulnerable systems from afar: the Windows operating system from Server 2003 to
Windows 8, the Internet Explorer web browser from version 6 to 11, and some SharePoint-related software
are all at risk, Microsoft warns.

The other six updates are labelled important: one is a remote-code execution hole, four lead
to privilege escalation and one allows hackers to bypass security protections altogether.

The affected software includes Microsoft Office 2007 to 2013, Windows and the .NET Framework.

As is always the case, Microsoft holds off documenting the security vulnerabilities in further
detail prior to the patch release for obvious reasons.

The May 13 security release will be the first in more than 10 years to not include any bulletins for
Windows XP.

The outdated operating system was officially retired from support by Microsoft on April 8, though
subsequent exploitation of flaws in the OS by miscreants nevertheless forced the company to issue an
out-of-band update.

Adobe, meanwhile, will issue an update for four versions of its Reader and Acrobat software. The
Adobe fix will address critical security flaws in both the Windows and OS X versions of Reader and
Acrobat 10 and 11.

Users and system administrators are well advised to test and deploy all of next Tuesday's security
patches as soon as possible or risk falling victim to exploits targeting the newly disclosed security
vulnerabilities.

In other internet security news

Online marketing and URL-shortening firm Bit.ly has warned its users that its systems have been
hacked into by unknown parties and has urged its users to change their passwords as soon as
possible.

In a security advisory, the company says: "We have strong reasons to believe that Bitly account
credentials have been seriously compromised but that we have no indication at this time that any
accounts have been accessed without permission."

The company also promises that it has "already taken proactive measures to secure all paths that
led to the compromise in the first place, and then ensure the security of all account credentials
going forward."

However, don't get too comfortable. Bit.ly strongly encourages its users to employ OAuth to
link their accounts with Facebook and Twitter.

As an additional layer of safety, the firm has severed those links to stop account hijacking and
to help prevent another potential attack.

It's high time to change those passwords and even if you can't recall signing up for Bit.ly it
may be worth checking to see if you ever linked your social media accounts to the service.

For its part, OAuth makes it relatively easy to make such links, and also a breeze to forget
you ever did so.

In other internet security news

Personal data describing over 1.3 million customers of French ISP Orange has been stolen in
the second hack to hit that provider this year alone, and customers are starting to wonder, in droves,
how safe their data really is.

Overall, hackers made off with subscriber names, dates of birth and phone numbers of about 4.9 percent of
the ISP's whole subscriber base.

Orange-France said hackers accessed data used for its email and SMS marketing campaigns but
did not disclose how the April 18 breach was executed.

Worse, it took almost three weeks from the initial discovery of the breach to probe for security
vulnerabilities and then analyse the extent and nature of the stolen data.

In a statement, the company said the stolen information could be used to phish subscribers using
email, SMS and phone calls.

Customers took to the telco's Facebook page to express their anger over the breach with some receiving
phishing emails relating to bounced invoice payments.

Orange France confirmed that it did not ask for bank details via email or SMS but it was unclear if
the phishing attacks were related to the breach or not.

These hacking attacks came a little over two months after over 800,000 customer details were stolen by
hackers raiding the telco's 'My Account' page. Criminals made off with names, email and street addresses,
customer IDs, and phone numbers.

In September 2013, hackers attacked Vodafone in Germany, making off with names, addresses and bank
details of over two million subscribers. It now appears that Europe is a breeding ground for phone
and computer attacks of various types.

In other internet security news

US Casino operator Affinity Gaming has had its credit card processing system hacked into for the second time in less than a
year.

The Las Vegas-based company said that hackers were successful in breaching a system in April that processed customer credit and
debit cards, but that it had no evidence at that time that cards were compromised.

"Affinity Gaming and its IT experts indicate that no credit card data was stolen after late afternoon April 28, 2014," it said in
a statement.

Affinity Gaming, which ran eleven casinos across four U.S. states, recruited security consultancy firm Mandiant to investigate the
security breach.

It did not say how many customers may be affected, however. The security breach comes after the company's payment systems were hacked into
last year with up to 300,000 credit cards compromised.

Worse, hackers had maintained full access to the payment systems between March and October 2013. Black hats also owned payment systems
operating at a gas station run by parent company Terrible Herbst.

In February 2014, the websites of several Las Vegas casinos were also defaced after Sheldon Adelson suggested the United States bomb Iran.

In other internet security news

A group of researchers from universities in Luxembourg, Germany and the United States say they can dramatically improve the
detection of privacy leaks between various processes in the Android operating system.

The researchers, led by Li Li of the University of Luxembourg, are looking for various methods to identify mobile apps that send
private data outside the app's own domain without the user's consent (often by accident), via intra-component leaks, inter-component
communications (ICC) and also inter-application communication (IAC).

They claim that the tool described in their paper on Arxiv detected 88.3 percent of inter-component privacy leaks, and, when used
in combination with ApkCombiner, also detected inter-application privacy leaks.

As noted in the paper, privacy leaks have been the subject of lots of academic research into Android, with Yajin Zhou a noted
discoverer of different kinds of leaks.

The Android ICC mechanisms that can contribute to those leaks include calls such as startActivity, startActivityForResult, query and
startService, among others.

Specifically, the Li Li paper outlines a static taint analysis technique, implemented in a tool called IccTA, that analyses
inter-component and inter-app links.

IccTA takes existing tools Epicc (from Pennsylvania State University, whose Damien Octeau and Patrick McDaniel contributed to the study)
and FlowDroid (the German contribution, with Steven Arzt, Siegfried Rasthofer and Eric Bodden from EC SPRIDE), and extends them into
the Android environment.

Their goal is to look both at how an app behaves on its own and at how it interacts with other apps: "IccTA enables a data-flow analysis between
two components and adequately models the lifecycle and callback methods to detect ICC based privacy leaks," the researchers wrote.

"When running IccTA on three thousand applications randomly selected from the Google Play store as well as other third-party markets, it
detects 130 inter-component based privacy leaks in twelve applications."

The good news is that only a dozen apps out of the 3,000 tested actually revealed privacy leaks. Li Li's colleagues at the University
of Luxembourg, Alexandre Bartel, Jacques Klein and Yves Le Traon, also took part in the project.